Microsoft Cloud Security Woes Inspire DHS Security Review

Published: 23/11/2024   Category: security




Can the government help fix what's wrong in cloud security? An upcoming investigation is going to try.



The US Department of Homeland Security (DHS) late last week kicked off an investigation into the threat of cyberattacks against cloud computing environments as Microsoft faces intense scrutiny over its handling of a major attack on its Azure cloud infrastructure.
On Aug. 11, DHS announced the next project for its Cyber Safety Review Board (CSRB), a joint public-private subgroup which in the past year and a half has investigated the Log4j vulnerability and the Lapsus$ group (the results of which were released on Aug. 10). This third endeavor will focus on issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers, DHS said in an announcement.
Some experts consider the move a good start to mending what's broken in cloud security services today.
The CSRB review was spurred by the recent breach of Microsoft's Azure cloud service, prosecuted successfully by a Chinese APT which Microsoft tracks as Storm-0558. The campaign compromised dozens of public sector agencies, as well as many private companies, and the full scope of the damage is not yet clear. DHS began considering whether this incident would be an appropriate subject of the Board's next review immediately upon learning of the incident in July, it noted.
"The recent Microsoft incident opened the door to this type of direct action, and DHS walked right in," explains Craig Burland, CISO at Inversion6. "While many will likely voice opposition to the government stepping, uninvited, into a new realm of regulation, organizations both large and small will benefit from a shift in shared responsibility to upgrade the default protections offered to all cloud clients."
As Karen Walsh, CEO at Allegro Solutions, points out, the review is a step towards implementing the US National Cybersecurity Strategy's Objective 2.4, "Prevent Abuse of U.S.-Based Infrastructure," an initiative meant to disrupt and dismantle threat actors targeting American organizations.
Beyond this broader initiative, there's a deeper, more structural issue at hand.
Recent months have brought repeated instances of severe vulnerabilities in cloud infrastructure, even from the most sophisticated providers like Microsoft. AWS has leaked tokens, its new features have been compromised, and threat actors have regularly leveraged it to steal sensitive business data and perform follow-on attacks. Google Cloud has experienced its own issues with stolen tokens, as well as its database service and certain kinds of content, and has suffered its own breaches as of late.
Clearly the cloud is at risk, but end users often don't hear about it, because cloud providers manage their own systems. Without the need for customers to patch, the model for disclosure changes as well. For example, cloud vulnerabilities are not assigned traditional CVEs.
The lack of clarity in who bears what responsibilities in securing cloud environments, and how to communicate between vendor and customer, has begun to have serious ramifications in real world cyberattacks.
Some see Microsoft Azure as an example of where the shared responsibility model failed, because it wasn't merely that a hostile state-aligned APT breached Azure Active Directory (AD), affecting the government and up to millions of Microsoft 365 applications. The greater offense, they say, is the manner in which Microsoft has handled the disclosure and review process.
"For many customers and investors, it was disappointing to see Microsoft in the news yet again for security reasons," says Claude Mandy, chief evangelist for data security at Symmetry Systems. More than a month after the breach was initially disclosed, he emphasizes, "the details on how the breach occurred and its potential impact are still vague, with no certainty provided by Microsoft. Instead, concerns and assessments are only being raised by outside cybersecurity researchers. As an industry, we are demanding more transparency."
In particular, Mandy takes issue with how Microsoft, until recently, withheld security logging as an upcharge for 365 customers. "Microsoft was restricting companies from having essential security features unless they pay more," he says, putting a burden on its customers. Microsoft has since reversed this policy.
That sentiment was seconded by security researchers at Tenable, who on Aug. 3 published the details of an entirely separate Azure vulnerability enabling certain unauthorized access to cross-tenant applications and the sensitive data, including authentication secrets. "To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Tenable CEO Amit Yoran wrote in a LinkedIn post.
In a statement provided to Dark Reading, Microsoft claimed that the issue was mitigated for a majority of customers in June, and has since been fully resolved.
But Tenable researchers push back on that explanation, writing that Microsoft has remediated this vulnerability for any new applications using the affected service, however, existing applications that were developed and deployed prior to that remediation are still affected and vulnerable.
A Microsoft spokesperson provided the following explanation:
"We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption."
Walsh and others are hoping that the government action can help bridge the kinds of security and communications breakdowns at the heart of stories like these.
"As the CSRB engages more deeply in this review, cloud service providers will likely bear more burden under the Shared Responsibility Model. A major through line from the National Cybersecurity Strategy is shifting responsibility to organizations that have more resources. In this case, providers have more resources than their customers," she says.
Burland seconds the need to shift more security burden from customers to vendors. "Today, the CSPs hold much of the power in the shared responsibility model, essentially protecting their own assets while expecting less capable, less knowledgeable customers to do the same," he bemoans.
"If the findings of the CSRB spark immediate changes to the shared responsibility model, it will have been a success and further the administration's strategic goals. If the findings simply plant seeds that new regulations may be on the horizon, it will still be a success," he says. "In either case, the review will advance another chess piece forward on the board, positioning the government to demand and ensure a common defense against cybersecurity threats."
